Remove Secret listener from controller (#2830)

* Remove Secret listener from controller

* fix integration test

* remove list and watch action from controller manager rbac

charts/catalog/templates/rbac.yaml

@@ -16,7 +16,7 @@ rules:
     # TODO: do not grant global access, limit to particular secrets referenced from servicebindings
     - apiGroups: [""]
       resources: ["secrets"]
-      verbs:     ["get","create","update","delete", "list", "watch"]
+      verbs:     ["get","create","update","delete"]
     - apiGroups: [""]
       resources: ["pods"]
       verbs:     ["get","list","update", "patch", "watch", "delete", "initialize"]

cmd/controller-manager/app/controller_manager.go

@@ -59,7 +59,6 @@ import (
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"k8s.io/client-go/informers"
 	"k8s.io/klog"
 )
 
@@ -303,10 +302,7 @@ func StartControllers(s *options.ControllerManagerServer,
 	if err != nil {
 		klog.Fatal(err)
 	}
-	klog.V(5).Infof("Creating shared informers; resync interval: %v", s.ResyncInterval)
-
-	coreInformerFactory := informers.NewSharedInformerFactory(coreClient, s.ResyncInterval)
-	coreInformers := coreInformerFactory.Core()
+	klog.V(5).Infof("Creating shared informer; resync interval: %v", s.ResyncInterval)
 
 	// Build the informer factory for service-catalog resources
 	informerFactory := servicecataloginformers.NewSharedInformerFactory(
@@ -319,7 +315,6 @@ func StartControllers(s *options.ControllerManagerServer,
 	klog.V(5).Infof("Creating controller; broker relist interval: %v", s.ServiceBrokerRelistInterval)
 	serviceCatalogController, err := controller.NewController(
 		coreClient,
-		coreInformers.V1().Secrets(),
 		serviceCatalogClientBuilder.ClientOrDie(controllerManagerAgentName).ServicecatalogV1beta1(),
 		serviceCatalogSharedInformers.ClusterServiceBrokers(),
 		serviceCatalogSharedInformers.ServiceBrokers(),
@@ -345,11 +340,9 @@ func StartControllers(s *options.ControllerManagerServer,
 
 	klog.V(1).Info("Starting shared informers")
 	informerFactory.Start(stop)
-	coreInformerFactory.Start(stop)
 
 	klog.V(5).Info("Waiting for caches to sync")
 	informerFactory.WaitForCacheSync(stop)
-	coreInformerFactory.WaitForCacheSync(stop)
 
 	klog.V(5).Info("Running controller")
 	go serviceCatalogController.Run(s.ConcurrentSyncs, stop)

pkg/controller/case_test.go

@@ -48,7 +48,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	k8sinformers "k8s.io/client-go/informers"
 	fakek8s "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/record"
 )
@@ -107,9 +106,6 @@ func newControllerTest(t *testing.T) *controllerTest {
 
 	fakeOSBClient := fakeosb.NewFakeClient(fixtureHappyPathBrokerClientConfig())
 
-	coreInformerFactory := k8sinformers.NewSharedInformerFactory(k8sClient, time.Minute)
-	coreInformers := coreInformerFactory.Core()
-
 	scClient := fakesc.NewSimpleClientset()
 	informerFactory := scinformers.NewSharedInformerFactory(scClient, 0)
 	serviceCatalogSharedInformers := informerFactory.Servicecatalog().V1beta1()
@@ -136,7 +132,6 @@ func newControllerTest(t *testing.T) *controllerTest {
 
 	testController, err := controller.NewController(
 		k8sClient,
-		coreInformers.V1().Secrets(),
 		scClient.ServicecatalogV1beta1(),
 		serviceCatalogSharedInformers.ClusterServiceBrokers(),
 		serviceCatalogSharedInformers.ServiceBrokers(),
@@ -167,9 +162,7 @@ func newControllerTest(t *testing.T) *controllerTest {
 	// start and sync informers
 	testCase.stopCh = make(chan struct{})
 	informerFactory.Start(testCase.stopCh)
-	coreInformerFactory.Start(testCase.stopCh)
 	informerFactory.WaitForCacheSync(testCase.stopCh)
-	coreInformerFactory.WaitForCacheSync(testCase.stopCh)
 
 	// start the controller
 	go testController.Run(1, testCase.stopCh)

pkg/controller/controller.go

@@ -52,8 +52,6 @@ import (
 	scfeatures "github.com/kubernetes-sigs/service-catalog/pkg/features"
 	"github.com/kubernetes-sigs/service-catalog/pkg/filter"
 	"github.com/kubernetes-sigs/service-catalog/pkg/pretty"
-	v12 "k8s.io/client-go/informers/core/v1"
-	"k8s.io/client-go/listers/core/v1"
 )
 
 const (
@@ -78,7 +76,6 @@ const (
 // NewController returns a new Open Service Broker catalog controller.
 func NewController(
 	kubeClient kubernetes.Interface,
-	secretInformer v12.SecretInformer,
 	serviceCatalogClient servicecatalogclientset.ServicecatalogV1beta1Interface,
 	clusterServiceBrokerInformer informers.ClusterServiceBrokerInformer,
 	serviceBrokerInformer informers.ServiceBrokerInformer,
@@ -100,7 +97,6 @@ func NewController(
 ) (Controller, error) {
 	controller := &controller{
 		kubeClient:                  kubeClient,
-		secretLister:                secretInformer.Lister(),
 		serviceCatalogClient:        serviceCatalogClient,
 		brokerRelistInterval:        brokerRelistInterval,
 		OSBAPIPreferredVersion:      osbAPIPreferredVersion,
@@ -205,7 +201,6 @@ type controller struct {
 	bindingLister               listers.ServiceBindingLister
 	clusterServicePlanLister    listers.ClusterServicePlanLister
 	servicePlanLister           listers.ServicePlanLister
-	secretLister                v1.SecretLister
 	brokerRelistInterval        time.Duration
 	OSBAPIPreferredVersion      string
 	OSBAPITimeOut               time.Duration
@@ -693,7 +688,7 @@ func (c *controller) getAuthCredentialsFromClusterServiceBroker(broker *v1beta1.
 	authInfo := broker.Spec.AuthInfo
 	if authInfo.Basic != nil {
 		secretRef := authInfo.Basic.SecretRef
-		secret, err := c.secretLister.Secrets(secretRef.Namespace).Get(secretRef.Name)
+		secret, err := c.kubeClient.CoreV1().Secrets(secretRef.Namespace).Get(context.TODO(), secretRef.Name, metav1.GetOptions{})
 		if err != nil {
 			return nil, err
 		}
@@ -706,7 +701,7 @@ func (c *controller) getAuthCredentialsFromClusterServiceBroker(broker *v1beta1.
 		}, nil
 	} else if authInfo.Bearer != nil {
 		secretRef := authInfo.Bearer.SecretRef
-		secret, err := c.secretLister.Secrets(secretRef.Namespace).Get(secretRef.Name)
+		secret, err := c.kubeClient.CoreV1().Secrets(secretRef.Namespace).Get(context.TODO(), secretRef.Name, metav1.GetOptions{})
 		if err != nil {
 			return nil, err
 		}
@@ -731,7 +726,7 @@ func (c *controller) getAuthCredentialsFromServiceBroker(broker *v1beta1.Service
 	authInfo := broker.Spec.AuthInfo
 	if authInfo.Basic != nil {
 		secretRef := authInfo.Basic.SecretRef
-		secret, err := c.secretLister.Secrets(broker.Namespace).Get(secretRef.Name)
+		secret, err := c.kubeClient.CoreV1().Secrets(broker.Namespace).Get(context.TODO(), secretRef.Name, metav1.GetOptions{})
 		if err != nil {
 			return nil, err
 		}
@@ -744,7 +739,7 @@ func (c *controller) getAuthCredentialsFromServiceBroker(broker *v1beta1.Service
 		}, nil
 	} else if authInfo.Bearer != nil {
 		secretRef := authInfo.Bearer.SecretRef
-		secret, err := c.secretLister.Secrets(broker.Namespace).Get(secretRef.Name)
+		secret, err := c.kubeClient.CoreV1().Secrets(broker.Namespace).Get(context.TODO(), secretRef.Name, metav1.GetOptions{})
 		if err != nil {
 			return nil, err
 		}

pkg/controller/controller_test.go

@@ -46,7 +46,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/client-go/informers"
 	clientgofake "k8s.io/client-go/kubernetes/fake"
 	clientgotesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/record"
@@ -2429,15 +2428,11 @@ func newTestController(t *testing.T, config fakeosb.FakeClientConfiguration) (
 	informerFactory := servicecataloginformers.NewSharedInformerFactory(fakeCatalogClient, 0)
 	serviceCatalogSharedInformers := informerFactory.Servicecatalog().V1beta1()
 
-	k8sInformerFactory := informers.NewSharedInformerFactory(fakeKubeClient, 0)
-	k8sInformers := k8sInformerFactory.Core().V1()
-
 	fakeRecorder := record.NewFakeRecorder(5)
 
 	// create a test controller
 	testController, err := NewController(
 		fakeKubeClient,
-		k8sInformers.Secrets(),
 		fakeCatalogClient.ServicecatalogV1beta1(),
 		serviceCatalogSharedInformers.ClusterServiceBrokers(),
 		serviceCatalogSharedInformers.ServiceBrokers(),